Citation or identification of any reference in this Section or any section of this Application shall not be construed to mean that such reference is prior art to the present invention.
A Wireless Local Area Network (WLAN) enables network devices to communicate with each other wirelessly, typically by radio. A WLAN typically includes a wired portion and a wireless portion. The wired portion is typically connected (for example, via a router and/or firewall) to a larger network, such as a business wide-area network, and/or the Internet.
The wireless portion of a WLAN typically includes at least one access point and at least one mobile unit. An access point is a wireless device that provides WLAN connectivity to mobile units. An access point is typically physically connected to the wired portion of the WLAN and capable of transmitting and receiving communications between a wired portion of the WLAN and a wireless portion of the WLAN. However, some access points are configured as repeaters, and lack a physical connection to a wired portion of the WLAN, instead connecting to the WLAN via another access point. As used here, a mobile unit is a wireless device (whether actually mobile or not) capable of communicating wirelessly with an access point or other device on a WLAN, and which is at least part of the time not physically wired to the wired portion of the WLAN. Mobile units generally do not provide WLAN connectivity to other mobile units. Each access point is capable of communicating with wireless devices within its cell (operating range). The set of mobile units within an access point's cell and the access point is usually referred to as the Basic Service Set (BSS). If a second access point connected to the wired portion of the WLAN is within the cell of the first access point, the BSS of the first access point will overlap with the BSS of the second access point. Typically each access point in this arrangement will be capable of detecting the other access point, and mobile units may move from the first cell to the second cell without breaking communication with the network. A set of network devices, including at least two access points, capable of wired and/or wireless communications with each other is usually referred to as the Extended Service Set (ESS).
Interoperability between access points and mobile units from different manufacturers is enabled by designing each access point and mobile unit to a common standard such as IEEE 802.11. The IEEE 802.11 standards define a common set of services that roughly corresponds to OSI layers 1 (physical) and 2 (data link). Widespread adoption of the 802.11 standard has resulted in the rapid growth of WLAN implementations.
The ability to access network resources without a physical connection to the network increases the security risks to the network because controlling physical access to all mobile units capable of communicating with access points in a WLAN is generally difficult or impossible. Furthermore, the wireless portion of the WLAN is typically based on radio signals that may be received by any device capable of receiving and/or transmitting such a signal.
Network security administrators have recognized the potential security risks of attaching access points to their LANs and usually implement basic procedures to ensure network security such as maintaining a database of authorized devices connected to the LAN such as an Access Control List (ACL). The ACL is commonly implemented as an electronic data structure maintained by an enterprise network manager executing on the wired portion of the network.
The administrator's job is further complicated by the low cost and relative ease of installing an access point for a local work group. Many access points (e.g. 802.11 access points) use a simple bridging protocol and can be added to a compatible wired network without any centralized control or action. Moreover, many inexpensive access points are very difficult to detect once installed. Many local work groups install an access point onto the existing company network, not appreciating the increased risk to the entire network created by the newly attached rogue access point, without bothering to inform the network administrator of the rogue access point. Moreover, the rogue access point is often configured using settings such as factory default settings that do not conform to the security settings of the authorized network devices and therefore represents a serious security risk to the entire network.
Network administrators usually have at least one network management utility that is capable of discovering most of the network devices attached to the network. Almost all such utilities, however, require either a query/response between the management agent and the network device or an agent executing on the network device and reporting to the management agent. Many inexpensive access points, however, are not configured to respond to standard management queries and are therefore very difficult to detect.
Therefore, there exists a need for the detection of unauthorized rogue access points connected to a network.